← Back to Explore
sublimehighRule
Attachment: Filename containing Unicode braille pattern blank character
Recursively identifies attachments that attempt to conceal their true file extension by using Braille Pattern Blank characters
Detection Query
type.inbound
and any(attachments,
regex.icontains(.file_name, '\x{2800}')
or (
.file_extension in~ $file_extensions_common_archives
and any(file.explode(.), regex.icontains(.file_name, '\x{2800}'))
)
)
Author
vector_sec
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
References
Raw Content
name: 'Attachment: Filename containing Unicode braille pattern blank character'
description: |
Recursively identifies attachments that attempt to conceal their true file extension by using Braille Pattern Blank characters
references:
- "https://www.bleepingcomputer.com/news/security/windows-vulnerability-abused-braille-spaces-in-zero-day-attacks/"
- "https://research.checkpoint.com/2024/resurrecting-internet-explorer-threat-actors-using-zero-day-tricks-in-internet-shortcut-file-to-lure-victims-cve-2024-38112/"
type: "rule"
authors:
- twitter: "vector_sec"
severity: "high"
source: |
type.inbound
and any(attachments,
regex.icontains(.file_name, '\x{2800}')
or (
.file_extension in~ $file_extensions_common_archives
and any(file.explode(.), regex.icontains(.file_name, '\x{2800}'))
)
)
attack_types:
- "Malware/Ransomware"
tactics_and_techniques:
- "Evasion"
detection_methods:
- "Archive analysis"
- "File analysis"
id: "c230ca86-f563-58b0-8667-5052cc9bf3c6"